Search Guard SSL for Elasticsearch 2.1 released

Elasticsearch SSL for free.

Search Guard SSL is a free and open source plugin for Elasticsearch which provides SSL for Elasticsearch. It does not provide authentication and authorization.

Prerequisites:

  • Java 7 or 8 (recommended)
  • Elasticsearch 2.1.0

Hi,
This is very useful! Can you clarify if this is backward compatible with an earlier version of Elasticsearch (1.7x)?

Thanks!


On Saturday, 12 December 2015 11:59:24 UTC-8, in...@search-guard.com wrote:

Elasticsearch SSL for free.

Search Guard SSL is a free and open source plugin for Elasticsearch which provides SSL for Elasticsearch. It does not provide authentication and authorization.

https://github.com/floragunncom/search-guard-ssl

Prerequisites:

  • Java 7 or 8 (recommended)
  • Elasticsearch 2.1.0

not backward compatible, but you can use GitHub - floragunncom/search-guard: Search Guard Plugin - Security for Elasticsearch


Hello,

I’m configuring search-guard-ssl for elasticsearch 2.1 but encountered some problems. Below is my configuration and the log information when starting elasticsearch. Could you please tell me what’s wrong with my configuration? Thanks a lot!

My configuration by referring to the wiki:

  1. generate the root ca by “./gen_root_ca.sh capassword_use_a_strong_one truststorepassword”
  2. sign CSR’s with the newly generated root CA above

      openssl ca \
        -in ca/signing-ca.csr \
        -notext \
        -out signed-csr.pem \
        -config etc/signing-ca.conf \
        -extensions v3_req \
        -batch \
        -passin pass:capassword_use_a_strong_one \
        -extensions server_ext

  3. distribute the truststore.jks (generated in step 1) to all elasticsearch nodes (I have only one elasticsearch node, named "elasticsearch-129") and put it into the config dir.
  4. Generate for **each** node a **separate** keystore.

      # Generate a new key
      keytool -genkey \
        -alias NODE_NAME \
        -keystore NODE_NAME-keystore.jks \
        -keyalg RSA \
        -keysize 2048 \
        -validity 712 \
        -keypass mykspassword \
        -storepass mykspassword \
        -dname "CN=127.0.0.1, OU=department, O=company, L=localityName, C=US"

      # Generate a CSR (Certificate signing request)
      keytool -certreq \
        -alias elasticsearch-129 \
        -keystore elasticsearch-129-keystore.jks \
        -file elasticsearch-129.csr \
        -keyalg rsa \
        -keypass mykspassword \
        -storepass mykspassword \
        -dname "CN=127.0.0.1, OU=department, O=company, L=localityName, C=US"

  5. sign CSR generated above with the root ca generated in step 1.
  6. import the signed CSR together with the root certificate chain into the keystore

      cat ca/chain-ca.pem elasticsearch-129.pem | keytool \
        -importcert \
        -keystore elasticsearch-129-keystore.jks \
        -storepass mykspassword \
        -noprompt \
        -alias elasticsearch-129

  7. distribute the elasticsearch-129-keystore.jks to elasticsearch node and put it into the config dir.

Above is all my configuration. The following is the start log and I've highlighted the error message.

./bin/elasticsearch
[2016-02-02 16:53:33,146][WARN ][bootstrap] unable to install syscall filter: prctl(PR_GET_NO_NEW_PRIVS): Invalid argument
[2016-02-02 16:53:33,359][INFO ][node] [elasticsearch-129] version[2.1.0], pid[26946], build[72cd1f1/2015-11-18T22:40:03Z]
[2016-02-02 16:53:33,359][INFO ][node ] [elasticsearch-129] initializing …
[2016-02-02 16:53:33,582][INFO ][plugins] [elasticsearch-129] loaded [search-guard-ssl], sites
[2016-02-02 16:53:33,604][INFO ][env] [elasticsearch-129] using [1] data paths, mounts [[/home/work (/dev/sda3)]], net usable_space [82.3gb], net total_space [116.1gb], spins? [possibly], types [ext3]
[2016-02-02 16:53:33,659][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL not available because of java.lang.UnsatisfiedLinkError: netty-tcnative (Not found in java.library.path)
[2016-02-02 16:53:33,679][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportClientProvider:JDK
[2016-02-02 16:53:33,679][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportServerProvider:JDK
[2016-02-02 16:53:33,679][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslHTTPProvider:null
[2016-02-02 16:53:34,273][WARN ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] AES 256 not supported, max key length for AES is 128. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’
[2016-02-02 16:53:34,273][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] isOpenSSL:false
[2016-02-02 16:53:34,273][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] isJDKSSL:true
[2016-02-02 16:53:34,626][INFO ][transport] [elasticsearch-129] Using [com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] as transport, overridden by [search-guard-ssl]
[2016-02-02 16:53:36,168][INFO ][node] [elasticsearch-129] initialized
[2016-02-02 16:53:36,168][INFO ][node] [elasticsearch-129] starting …
[2016-02-02 16:53:36,231][INFO ][transport] [elasticsearch-129] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2016-02-02 16:53:36,239][INFO ][discovery] [elasticsearch-129] elasticsearch/TjQJb5iiQkGZcwW9lCjPWA
[2016-02-02 16:53:36,271][WARN ][com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] [elasticsearch-129] exception caught on transport layer [[id: 0xf49f9829]], closing connection
java.lang.IllegalArgumentException: File does not contain valid certificates: /tmp/sg_609338662165226698.pem

at io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:135)
at com.floragunn.searchguard.ssl.SearchGuardKeyStore.createClientTransportSSLEngine(SearchGuardKeyStore.java:305)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport$ClientSSLHandler.connectRequested(SearchGuardSSLNettyTransport.java:120)
at org.jboss.netty.channel.SimpleChannelHandler.handleDownstream(SimpleChannelHandler.java:272)
at org.jboss.netty.channel.DefaultChannelPipeline.sendDownstream(DefaultChannelPipeline.java:591)
at org.jboss.netty.channel.DefaultChannelPipeline.sendDownstream(DefaultChannelPipeline.java:582)
at org.jboss.netty.channel.Channels.connect(Channels.java:634)
at org.jboss.netty.channel.AbstractChannel.connect(AbstractChannel.java:216)
at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:229)
at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
at org.elasticsearch.transport.netty.NettyTransport.connectToChannelsLight(NettyTransport.java:913)
at org.elasticsearch.transport.netty.NettyTransport.connectToNode(NettyTransport.java:880)
at org.elasticsearch.transport.netty.NettyTransport.connectToNodeLight(NettyTransport.java:852)
at org.elasticsearch.transport.TransportService.connectToNodeLight(TransportService.java:250)
at org.elasticsearch.discovery.zen.ping.unicast.UnicastZenPing$3.run(UnicastZenPing.java:395)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.lang.Thread.run(Thread.java:785)
Caused by: java.security.cert.CertificateException: found no certificates: /tmp/sg_609338662165226698.pem
at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:83)
at io.netty.handler.ssl.SslContext.toX509Certificates(SslContext.java:967)
at io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:133)
… 17 more

I’m new with SSL configuration. Thank you for your help.


you can ignore all messages but not the last (java.lang.IllegalArgumentException: File does not contain valid certificates: /tmp/sg_609338662165226698.pem)

can you please post your elasticsearch.yml file?
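
A pre-flight check for the failure singled out above ("found no certificates"), added here as an example; it is not part of the thread and not Search Guard SSL or Netty code. It classifies the PEM blocks in a file so that an empty export, or a CSR sitting where a signed certificate is expected, is caught before the node starts. The function names are hypothetical, the sample inputs are constructed DER stubs rather than real certificates, and the structural check is deliberately simpler than what a TLS library performs.

```python
import base64
import binascii
import re
from collections import Counter

# Any PEM block: captures the label and the base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_sequence_ok(der):
    """True if `der` is a single DER SEQUENCE whose declared length fits exactly."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                            # short-form length
        header, length = 2, first
    else:                                       # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def classify_pem(text):
    """Count PEM block types and the CERTIFICATE blocks that decode cleanly."""
    labels = Counter()
    usable = 0
    problems = []
    for label, body in PEM_BLOCK.findall(text):
        labels[label] += 1
        if label != "CERTIFICATE":
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("CERTIFICATE block is not valid base64")
            continue
        if der_sequence_ok(der):
            usable += 1
        else:
            problems.append("CERTIFICATE block is not a DER SEQUENCE of the declared length")
    if usable == 0:
        others = sorted(name for name in labels if name != "CERTIFICATE")
        if not labels:
            problems.append("no PEM blocks at all (empty or binary file)")
        elif others:
            problems.append("no certificate, only: " + ", ".join(others))
    return {
        "labels": dict(labels),
        "usable_certificates": usable,
        "problems": problems,
    }


def pem(label, der):
    """Wrap DER bytes in PEM armour with the given label."""
    body = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample data: a minimal DER SEQUENCE, NOT a real certificate.
STUB = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

EMPTY_EXPORT = ""                                     # file with nothing in it
CSR_ONLY = pem("CERTIFICATE REQUEST", STUB)           # a CSR where a cert was expected
CHAIN = pem("CERTIFICATE", STUB) + pem("CERTIFICATE", STUB)
TRUNCATED = pem("CERTIFICATE", STUB[:-1])             # declared length no longer fits

if __name__ == "__main__":
    samples = [
        ("empty", EMPTY_EXPORT),
        ("csr-only", CSR_ONLY),
        ("chain", CHAIN),
        ("truncated", TRUNCATED),
    ]
    for name, sample in samples:
        print(name, classify_pem(sample))
```
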


Hello,

Please find the elasticsearch.yml in attachment. I’m not sure if the configuration is wrong.

elasticsearch.yml (7.14 KB)


Hi,

I didn’t deploy elasticsearch in any Servlet container, but referring to the wiki, I added a tomcat native jar file into the search-guard-ssl folder since using openssl to generate certificate.

Do I need to deploy elasticsearch in any container in order to enable SSL? Thanks a lot for your help(^_^)
